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SECTION I 

INTRODUCTION 

For the past several years ESD has been involved in various 
projects relating to secure computer systems design and operation. 
One of the continuing efforts, started in 1972 at MITRE, has been 
secure computer system modeling. The effort initially produced a 
mathematical framework and a model [1, 2] and subsequently developed 
refinements and extensions to the model [3] which reflected a 
computer system architecture similar to that of Multics [4]. Recently 
a large effort has been proceeding to produce a design for a secure 
Multics based on the mathematical model given in [1, 2, 3]. 

Any attempt to use the model, whose documentation existed in 
three separate reports until this document was produced, would have 
been hampered by the lack of a single, consistent reference. Another 
problem for designers is the difficulty of relating the abstract 
entities of the model to the real entities of the Multics system. 
These two problems are solved by this document. 

All significant material to date on the mathematical model has 
been collected in one place in the Appendix of this report. A 
number of minor changes have been incorporated, most of them 
notational or stylistic, in order to provide a uniform, consistent, 
and easy- to-read reference. A substantive difference between the 
model of the Appendix and that of the references [2, 3] is the set 
of rules: the specific rules presented in Appendix have been adapted 
to the evolving Multics security kernel design. 
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Because the model is by nature abstract and, therefore, not 
understandable in one easy reading. Section II gives a prose 
description of the model. 

In order to relate the mathematical model to the Multics 
design. Section III exhibits correspondences from Multics and 
security kernel entities to model entities. 

Section IV discusses further considerations—topics which lie 
outside the scope of the current model but which are important issues 
for security kernel design. 

As background for the remainder of this document, we briefly 
establish a general framework of related efforts in the rest of this 
section. 

Work on secure computer systems, in one aspect or another, has 
been reported fairly continuously since the mid 1960s. Three periods 
are discernible: early history, transitional history, and current 
events. 

The work by Weissmann [5] on the ADEPT-50 system stands out in 
the early history period. Not only was a fairly formal structuring 
of solution to a security problem provided, but ADEPT-50 was actually 
built and operated. In this early period the work of Lampson [6] 
is most representative of attempts to attack security problems 
rigorously through a formal medium of expression. In Lampson 's 
work, the problem of access control is formulated \/ery abstractly 
for the first time, using the concepts of "subjects," "object," and 
"access matrix." The early period, which ended in 1972, understandably 
did not provide a complete and demonstrable mathematical formulation 
of a solution. 

6 
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The transitional period (1972 - 1974) is characterized by 
markedly increased interest in computer security issues as 
evidenced by the Anderson panel [7]. One of the principal results 
of this panel was the characterization of a solution to the problem 
of secure computing (using the concept of a "reference monitor") 
together with the reasoned dictum that comprehensive and rigorous 
modeling is intrinsic to a solution to the problem. This period also 
saw the development of the first demonstrated mathematical models 
[1 , 2, 13] as well as ancillary mathematical results which characterized 
the nature of the correctness proof demonstration [2, 8]. A second 
modeling effort, also sponsored by the Electronic Systems Division 
of the United States Air Force and performed at Case-Western 
Reserve University, was also undertaken in this period [9]. In 
this model, the flow of information between repositories was 
investigated, initially in a static environment (that is, one in 
which neither creation nor deletion of agents or repositories is 
allowed) and subsequently in a dynamic environment. Many other 
papers appeared during this period. An implementation of a system 
based on a mathematical model was carried out at MITRE by 
W. L. Schiller [10]. An extension and refinement of the first 
model was developed [3] to tailor the model to the exigencies of 
a proposed Multics implementation of the model; included in this 
extension was a concept promulgated at Case-Western Reserve 
concerning compatibility between the Multics directory structure 
and the classifications of the individual files. A great number of 
other computer security issues were investigated and characterized 
[11, 12, 13, 14, 15] during this time. 

Current work succeeding the work reported above is a project 
sponsored by ESD and ARPA. In this project, the Air Force, the 
MITRE Corporation, and Honeywell are working cooperatively 
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to develop a design for a security kernel for the Honeywell I'lultics 
(HIS level 68) computer system. Other significant efforts include work 
at UCLA [16], and the Stanford Research Institute [17]. 

This report summarizes, both narratively and formally, the 
particular version of the mathematical model that is relevant to 
the development of a Multics security kernel. The report not 
only presents the model in convenient and readable form, but also 
explicitly relates the model to the emerging Multics kernel design 
to help bridge the gap between the mathematical notions of the model 
and their counterparts in the Multics security kernel. 
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SECTION II 

DESCRIPTION OF THE MODEL 

The model can be viewed as having three major facets--a 
descriptive capability (the elements), general mechanisms (the 
limiting theorems), and specific solutions (the rules). In this 
section, v^e shall discuss these three facets narratively, make 
explicit the inclusions and exclusions of meaning (that is, 
interpretations) that can be correctly associated with the model 
itself rather than with its interpretation in any given context. 
A summary of the model is included in the Appendix; however 
reference to the Appendix should not be necessary for complete 
understanding of this section. 

DESCRIPTIVE CAPABILITY 

The model has the ability to represent abstractly the elements 
of computer systems and of security that are relevant to a treatment 
of classified information stored in a computer system, tjhe essential 
problem is to control access of active entities to a set of passive 
(that is, protected) entities, based on some security policy. Active 
entities are called subjects (denoted S^. individually and S 
collectively); passive entities are called objects (denoted 0. and 
0). No restriction is made regarding entities that may be both 
subjects and objects; a given interpretation of the model could have 
no subject/objects, some subject/objects, or all subjects could be 
objects. It is merely required that, when an entity's active 
(respectively, passive) role is being considered, that entity be 
constrained by the model's treatment of subjects (respectively, 
objects). 



'Note that the model is in no way restricted to a computer system 
(although that is the topic here). It has also been applied to 
physical and procedural security controls. 
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Figure 1. Subjects Accessing Objects 

As in computer systems, access in the model can assume 
different modes. The modes of access in the model are called 
access attributes (denoted _x and A). The access attributes are 
abstracted from actual access modes in computer systems. 

The two effects that an access can have on an object are the 
extraction of information ("observing" the object) and the 
insertion of information ("altering" the object). There are thus 
four general types of access imaginable: 

• no observation and no alteration; 

• observation, but no alteration; 

• alteration, but no observation; and 

• both observation and alteration. 

An access attribute for each of these possibilities is included in 
the model : 

10 
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• le access (neither observation nor alteration); 

• r. access (observation with no alteration); 

• ja access (alteration with no observation); and 

• w access (both observation and alteration). 

The symbols e^, _r, a^, and w are derived from the generalized 
access modes execute , read , append , and write , and in fact, the 
underlined words are used interchangeably with the shorter letter 
symbols. The meaning of any access attribute, however, is not at 
all constrained by an actual access mode with the same name. "^^ Rather 
each actual access mode must be analyzed and paired with the access 
attribute which matches its own access characteristics . The only 
intrinsic semantics that pertain to e^ery interpretation of the 
model access attributes are those listed in the preceding paragraph. 

It is now possible to begin a description of a system state in 
the model. The state will be expressed as a set of four values, each 
referred to as a component. 

The first component of a system state is the current access set , 
denoted b. A current access by a subject to an object is represented 
by a triple: 

(subject, object, access-attribute). 

This triple means that "subject" has current "access-attribute" 
access to "object" in the state. The current access set b is a 
set of such triples representing all current accesses. 

The next element of a system state within the model concerns a 
structure imposed on the objects. What we stipulate is that a 



'Note that this abstract notion of "execute" access is not what is 
typically implemented (enforced) by computer hardware since the 
results of the execution reflect the contents and thus constitute 
"observation" of the executed element. 

11 
ToleammoreL _n and OCR goto Th i^ 



parent-child relation be maintained which allows only directed, 
rooted trees and isolated points as shown: 





D 



Figure 2. The Desired Object Structure 

This particular structure is desired in order to take advantage of 
the implicit control conventions of and the wealth of experience 
with logical data objects structured in this way. The construct used 
is called a hierarchy (denoted H and H)-, a hierarchy specifies the 
progeny of each object so that structures of the type mentioned are 
the only possibilities. 

The next state component which we consider involves access 

permission . Access permission is included in the model in an access 

. t 
matrix f'. 



'Notice that M is a matrix only in the model's conceptual 
sphere: any interpretation of H which records all the necessary 
information is acceptable. 
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Figure 3. An Access Matrix 



The component M. . records the modes in which subject S. is 

' J 1 

permitted to access object 0.. Thus the entries of M are subsets 
of the set A of access attributes. 



The last component of a system state is a level function, the 
embodiment of security classifications in the model. In a 
military or governmental environment, people and documents can 
receive two types of formal security designations: one is 
classification or clearance (unclassified, confidential, secret, 
and top secret are usual) and the other is formal category (such as 
Nuclear, NATO, and Crypto). A total security designation is a pair: 

(classification, set of categories). 

Such a pair we call a "security level." A necessary condition for 
an individual's possession of a document is that his security level 
must dominate the security level of the document. One level 
dominates another: 
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(class 1, category-set 1) dominates (class 2, category-set 2) 
if and only if 

class 1 is greater than or equal to class 2 and 
category-set 1 includes category-set 2 as a subset. 

This rather complicated requirement is abbreviated in this discussion 

by using abstract security levels (denoted L^ and L) and a dominance 

ordering » (read "dominates") which is required to be a partial 

+ 
ordering. 

The classification of subjects and objects assigns to each subject 
and to each object a security level. The (maximum) security level of 
a subject S^. is denoted "fs(S^-)" in the formal development in the 
Appendix, but for the purposes of this section will be denoted 
"level (S^.)-" Similarly, the security level of an object 0. is 
denoted formally and informally as fQ(0.) and level (0.)- One 
further assignment to subjects identifies the current security 
level of the subject. The current level allows a subject to operate 
at less than its maximum security level, a feature that is \/ery 

important under some of the security constraints to be developed 

tt 
later. The current security level of a subject S. is denoted 

fj,(S^. ) and current-level (S^.); it is required that level (S.) dominate 
current-level (S. ). 



That the relation » must be a partial ordering requires only that 
1) L dominates L for e^ery level L ; 2) L dominates L and 

« U U U V 

L^ dominates L^, then L^^ dominates L^; and 3) if L and L^^ 
dominate each other, then they are the same. 

In particular, the current security level makes feasible the 
requirement that high-level information not be put into low-level objects. 

14 
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A triple of security level assignment functions (f^, f^, fp) or 
(level (•)» level (•)» current-level (•)) is called a level function 
and is denoted f(or, collectively, F). 

A state of the model is a 4-tuple of the form: 

(current access set, access permission matrix, level 
function, hierarchy). 

The model notation for a state is (b, M, f, H). 

We refer to inputs to the system as requests (R. and R) and 
outputs as decisions (D and D). The system is all sequences of 
(request, decision, state) triples with some initial state (Zq) 
which satisfy a relation l»! on successive states. 

The system defined in this way can be used in two ways— analysis 
and synthesis. The use of the model for analysis involves: 

1. the specification of R and D for the system 
being analyzed, and 

2. the determination of K'. 

The operation of the system of concern can then be addressed by 
examining the relation W which characterizes the system as a 
model. The use made of the model in the security kernel design 
work is synthesis: the job involves first the specification of 
system characteristics that we desire to be maintained, and then 
the definition of a relation W that is sufficient to the task. 
The definition of an appropriate relation W is the topic of 
SPECIFIC SOLUTIONS; we conclude this discussion with an exposition 
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of the system characteristics that we desire to be maintained. 
These characteristics we speak of collectively as "security." 

The first aspect of security which we consider is the simple 
security property (ss-property hereafter). The ss -property is 
satisfied if every "observe" access triple (subject, object, attri- 
bute) in the current access set b has the property that level (subject) 
dominates level (object), fiore concisely, the ss-property stipulates 
that if (subject, object, observe-attribute) is a current access, 
then level (subject) dominates level (object). 

The ss-property is the strict interpretation of the current 
security regulations for documents, with one modification. In a 
document system, "access" refers to physical possession which 
implies the ability to extract information. Where there is the 
possibility of access without observation, as in this model, access 
does not necessarily imply the ability to extract information. 
Hence, the security regulations for documents were applied in the 
model only to attributes that entail observation (viz. w and r). 

The ss-property was considered to be the whole of security in 
our early efforts at modeling [1]. A brief look at the expected 
interpretation of the model will show that this property is indeed 
only a "simple" statement of the problem. 

The expected interpretation of the model anticipates 
protection of information containers rather than of the information 
itself. Hence a malicious program (an interpretation of a subject) 
might pass classified information along by putting it into an 
information container labeled at a lower level than the information 
itself. 
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high level object-1 



flow 

of 

information 



^ j low level object-2 



Figure 4: Information Flow Showing the Need for *-Property 

Thus, another security property, called the *-property (for historical 
reasons), is added to the ss-property in the specification of 
"security." The *-property is satisfied if: 

in any state, if a subject has 

simultaneous "observe" access to object-1 and "alter" 
access to object-2, then level (object-1) is dominated 
by level (object-2). 

This definition clearly disallows the situation pictured (Figure 4), 
Under this restriction, however, the levels of all objects accessed 
by a given subject are neatly ordered: 



level (a;-accessed-object) dominates level (w-accessed-object); 
level (w-accessed-object-1 ) equals level (w-accessed-object-2); and 
level (w-accessed-object) dominates level (r-accessed-object). 



read "star-property. " 
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Thus the definition of *-property is now refined in terms of 
current-level (subject): 

in any state, a current access (subject, object, attribute) 
implies: 

level (object) dominates current-level (subject) if 

attribute is a^; 
level (object) equals current-level (subject) if 

attribute is w; and 
level (object) is dominated by current-level (object) 

if attribute is r_. 

There are two important comments to be made about the *-property. 
First, it does not apply to trusted subjects: a trusted subject is 
one guaranteed not to consummate a security-breacmng information 
transfer even if it is possible. Second, it is important to 
remember that both ss-property and *-property are to be enforced. 
Neither property by itself ensures the "security" we desire. 

There is one further aspect of security that we address: the 
problem is called discretionary security and it is also based on 
current military/ governmental policy (known as "need-to-know"). The 
enforcement of classification/clearance matching is mandated by executive 
order, directive and regulation: an individual may not exercise his 
own judgment to violate this standard. Similarly, the enforcement of 
categories (also called formal need-to-know compartments) is mandatory. 
These two restrictions make up nondiscretionary security policy and are 



The topic of trusted subjects is treated at more length in 
Section IV. 
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embodied in the model as the ss-property and *-property. Discretionary 
security policy allows an individual to extend to another individual 
access to a document based on his own discretion, constrained by non- 
discretionary security policy: that is, discretionary security policy 
allows an individual to extend access to a document to anyone that is 
allowed by non-discretionary security to view the document. 

This exact property is included in the model in the discretionary 
security property (ds-property). A state satisfies the ds-property 
provided every current access is permitted by the current access 
permission matrix M. More specifically, the ds-property, requires 
that: 

if (subject-i, ob,1ect-j, attribute-x) is a current access 
(is in b), then attribute-x. is recorded in the 
(subject-i, object-j) - component of M (x is in M..). 

The term "discretionary" security is appropriate in the context of 
the specific solutions of this model since the capability to alter 
M (the permission structure) is included in the model. 

Note that restrictions of the concept of security will not 
require reproof of the properties already established because 
additional restrictions can only reduce the set of reachable states. 
The notion of "security" was purposefully made extensible in this 
way to allow for later refinements of the concept of security. "'^ 

GENERAL MECHANISMS 

This discussion of the general mechanisms of the model is 
tripartite. First, the "inductive nature" of security within the 



f 
Some discussion of other security- related topics which might be 

included in later definitions of security is given in Section IV. 
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model is established. Then a general construct— the rule— for the 
modular specification of system capabilities is defined. Finally, 
the relation of rule properties to system properties is established. 

The first general result in the model is the basic security 
theorem (Corollary Al in the Appendix). This theorem states that 
security (as defined) can be guaranteed systemically when each 
alteration to the current state does not itself cause a breach of 
security. Thus security can be guaranteed systemically if, whenever 
(subject, object, attribute) is added to the current access set b, 
then: 

1. level (subject) dominates level (object) if 

attribute involves observation (to assure the 
ss-property); 

2. current-level (subject) and level (object) have 

an appropriate dominance relation (to assure the 
*-property); and 

3. attribute is contained in the (subject, object) 

component of the access permission matrix I"! 
(to assure the ds-property). 

We say that the basic security theorem establishes the "inductive 
nature" of security in that it shows that the preservation of 
security from one state to the next guarantees total system 
security. 

The importance of this result should not be underestimated. 
Other problems of seemingly comparable difficulty are not of an 
inductive nature. The problems of data- and resource-sharing, for 
example, are not inductive. In fact, the most trivial example of 
deadlock (Figure 5) can arise in any nontrivial sharing system that 

20 
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Figure 5. Deadlock 

decides immediately to grant or deny a request for access. 
Resolution of this problem requires knowledge of future possibilities, 
queues of requests, and process priorities [18]. The result, 
therefore, that security (as defined in the model) is inductive 
establishes the relative simplicity of maintaining security: the 
minimum check that the proposed new state is "secure" is both 
necessary and sufficient for full maintenance of security. 

The second step of constructing general mechanisms within the 
model is a direct consequence of the basic security theorem. Since 
the systemic problems of security can be dealt with one state 
transition at a time, a general framework for isolating single 
transitions was devised. This framework relies on the "rule," a 
function for specifying a decision (an output) and a next-state for 
every state and every request (an input): 



(request, current-state) 



rule 



T^(decision, next-state). 
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The idea is to analyze each class of requests separately in a rule 
designed to handle that particular class. To provide clarity, no 
two rules (in a given system) are allowed to specify non-trivial 
changes for a given (request, current-state) pair; total system 
"response" to the pair (request, current-state) is then defined as 
the response of the rule written to handle the request. This frame- 
work allows different approaches to a given class of requests to be 
worked out independently in different rules. A final set of rules 
to specify a desired system could be chosen to reflect idiosyncratic 
needs; the only restriction is that rules with overlapping 
responsibility cannot be used together. This approach gives the 
model a modular flexibility which can be of great use in tailoring 
the model to a particular application, as illustrated by Section III. 

The last development which is classed a general development 
centers on the relation of rule properties to system properties. It 
has been shown that the entire system specified by a set of rules 
satisfies all three security properties--the ss -property, the 
*-property, and the ds-property--provided each rule itself 
introduces no exception to these properties. Moreover, the 
requisite demonstration that a rule preserves security can in most 
cases be reduced to the direct consideration of the small number 
of state alterations involved in the given state transition (Corollary 
A3 in the Appendix). 

In summary, the general mechanisms of the model: 

• bound the scope of investigation to single transitions of state; 

• provide the ability to investigate desired features of the 
system independently of one another using the rule framework; 
and 
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• reduce the systemic problem to very restricted rule-based 
problems of the preservation of security properties over 
one transition. 

SPECIFIC SOLUTIONS 

The rules presented in this document represent one specific 
solution to the requirement for a "secure" computer system. This 
particular solution is in no sense unique, but has been specifically 
tailored for use with a Mul tics-based information system design. For 
this use, the solution has to satisfy two requirements: the 
provision of generally useful functions and appropriate accommodations 
to the effects of the Mul tics design on an implementation of this 
model . 

A number of general functions can be suggested for any computer- 
based information system. With reference to the model described 
earlier, the functions can be grouped in four classes: 

• functions to alter current access (the set b); 

• functions to alter the level functions (the values 

level (subject), level (object), and current-level (subject)); 

• functions to alter the current access permission structure 
(the matrix M); and 

• functions to alter the object structure (the hierarchy H). 

This list covers changes to each of the elements of a system state 
in the model. Our particular solution includes the capability to 
cause the following changes to the system state: 
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• altering current access: 

* to set access (add a triple (subject, object, 
attribute) to the current access set b), and 

• to release access (to remove an access triple from 
the current access set b); 

• altering level functions: 

* to change object level (to change the value of 
level (object) for some object), and 

* to change current level (to change the value of 
current-level (subject)) ; 

• altering access permission: 

* to give access permission (to add an attribute to 
some component of the access permission matrix M), 
and 

• to rescind access permission (to delete an attribute 
from some component of the access permission matrix 
M); and 

• altering the hierarchy: 

• to create an object (to attach an object to the 
current tree structure as a leaf), and 

• to delete a group of objects (to detach from the 
hierarchy an object and all other objects "beneath" 
it in the hierarchy). 

Section III presents a more detailed discussion of the particular 
rules presented in this document. 

These rules reflect several characteristics of the Multics 
operating system. The main Multics characteristic that affects the 
model is the hierarchical object structure which has been mentioned 
previously. The principal reason for the inclusion of the 
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hierarchy in the model is the desire to disturb the Multics operating 
system as little as possible while adding the capability to process 
simultaneously information of varying security levels. The basic 
Multics mechanisms for access control rely heavily on the object 
structure: to retain that basic structure it is necessary to 
investigate our restrictions on access control in the Multics setting 
of an object hierarchy--that is, in the setting of Multics control 
structures. 

The second Multics characteristic involves the physical 
counterpart of the access permission matrix M. This structure (called 
the Access Control List (ACL) in Multics), its location, and its 
manipulation have direct effects on the capability to get access, to 

give access, and to rescind access in Multics. The Access 

^ -j- 

Control List in Multics is a list of "(process, ring bracket)" pairs 
(for our purposes here, the Multics analogue of subjects) allowed to 
access a segment (that is, an object) and the modes of access allowed. 
There is one Access Control List for every segment/object. Thus the 
information contained in the Access Control List for object-j includes 
the information contained in the j-th column of the access permission 
matrix M in the model. The most important fact about the Multics 
ACLs is that they are contained in a segment's parent directory (parent 
object in the model) and are manipulated by manipulation of the object's 
parent. Hence, "control" over an object (to extend access, to rescind 
access, or to destroy the object althogether) is equivalent in Multics 
to write permission to the object's parent. Moreover, since "creation" 
of a segment in Multics is the insertion of a new entry (called a 
"branch") in a directory segment, the "control" over creation is 
equivalent to write or append access (that is, read/write or pure-write 
access) to the directory segment that will be the parent of the created 
segment (directory Z in Figure 7). 



"^The entry into the ACL by process is actually indirect: a process 
maps to a "user-id" (essentially a set of processes associated with 
a particular user) which in turn maps to an ACL entry. To simplify 
the exposition here, this indirect entry is represented directly. 
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Figure 6. The Correspondence of M Columns to ACLs 
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Figure 7. The "Creation" of a Segment in Multics 

These Multics characteristics are taken into account in the 
model's rule where, for example, a request to give access to an object 
is allowed only if (among other things) the requesting subject has 
current w access to the parent of the object (implying that the usual 
Multics operation of extending access can be carried out). 
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Figure 8. The Need for Compatibility 
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The way access to an object is carried out in Hultics is the 
final characteristic reflected in the model. A user request to 
access a segment causes the user's surrogate (his process) to access 
e^ery object in the hierarchy in the path from the root directory 
(the object Oj^ in the model) to the segment of interest. This 
fact implies that in the situation shown in Figure 8, an unclassified 
subject would have to observe the secret object O, in order to 
access the unclassified object O2: an unclassified subject cannot 
observe the secret object 0, because of the ss-property. Moreover, 
the *-property combined with the requirement to "write" in 0, in 
order to "create" object O2 make any situation similar to that in 
Figure 8 useless. Hence, it is required in the rules of the model 
that the security level of an object dominate the security level of 
its parent. The rules to allow creation of objects and to cause 
changes in an object's security level reflect this requirement, which 

4. J, 

is termed "compatibility." 

The rules of this document provide a particular specification 
for a secure computer system that supplies a full complement of 
information processing capabilities while matching the special 
requirements of the Multics operating system environment. 



Remember that if the two levels are the same, this requirement is met. 



tt 

The concept termed "compatibility" here was initially proposed and 

investigated at Case Western Reserve University [9]. 
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SECTION III 

MORPHISM FROM MULTICS TO MODEL 

INTRODUCTION 

The discussion of the correspondence of the fiultics security 
kernel design to the mathematical model t will be phrased in terms 
of a "morphism;" this stance is taken because of the verification 
strategy that has been proposed for the Multics kernel design [19]. 

A morphism is a mapping from one system to another which 
preserves one or more operations of the system. This concept can 
be stated mathematically in concise form. Exposition of the 
concept is better achieved by example. Suppose [I, +, •] is the 
following algebraic system: 

I is the set of integers from to 9. 

+ is the ordinary arithmetic sum operator except addition is 

to be done modulo 10; that is, ordinary sum equal to 

10 becomes 0, 11 becomes 1, 12 becomes 2, and so 

forth. 
• is the ordinary arithmetic product operator except 

multiplication is to be done modulo 10. 

Suppose [A, ®, 0] is the following algebraic system; 

A is the set of letters a, b, c, d, e. 

© is a binary operator defined as follows: 



tThe term "model" refers specifically to the model presented in the 
Appendix. 
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a any letter in A 

b © a = b 

b © b = c 

b © c = d 

b © d = e 

b © e = a 



that letter 


c © c 


= e 




c © d 


= a 




c © e 


= b 




d © d 


= b 




d © e 


= c 




e © e 


= d 



which can be shown in table form: 



® 


a 


b 


c 


d 


e 


a 


a 


b 


c 


d 


e 


b 


b 


c 


d 


e 
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c 


c 
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d 
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e 
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b 
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e 


e 


a 


b 


c 


d 



G is a binary operator defined by: 
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Now define the mapping M from the system [I, +, •] to the system 
[A, ®, ©] as follows: 
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— ^ a 

1 — b 

2 — c 

3 — d 

4 — e 

5 — a 

6 — b 

7 — c 

8 — d 

9 — e 

M is then a morphism from [I, +, •] to [A, 0,0] since it "preserves" 
the operations of + and •. This means that the value of the 
expressions i + j and i • j in the system [I, +, •] have corresponding 
values in [A,(+), G)] under the mapping M which is the same as the value 
obtained by (± ing and Qing the elements in [A,'+), (3] which 
correspond under M to i and j in [I, +, •]. Symbolically we 
can express this as follows: 

M (i + j) = M (i)® M (j) and M (i • j) = M (i) 0M (j). 

By inspecting the previous definitions we can verify, for example, 
that: 

M(l + 3) = M(4) = e and 
m)C+ M(3) = b(± b = e so 
M(l + 3) = M(l)(t M(3), 

Similarly, 
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M(7 • 3) = H(7) © M(3) since 
M(7 -3) = M(l) = b and 
M(7) © M(3) = c © d = b. 

The "preservation" property of M can be shown diagrammatically: 



I X I 



M X M 



A X A' 



® 



-^A 



I X I- 



A 



M X M 



A 



© 



■^A 



These diagrams are said to be "conmutative." In each, one can get 
from I X I to A by two paths; each path leads to the same 
place, that is, given two elements in I (an ordered pair in I x i) 
the same element in A is arrived at by both paths. 

The math model of a secure system is like the system [A, ©, Q]. 
Corresponding to the set A is a set of elements of the model. The 
analogy is most enlightening if we consider elements in A to 
correspond to states in the model. Corresponding to the operators 
© and © is a set of eleven rules. The Multics system we shall 
discuss is like the system [I, +, •]. Corresponding to the set I 
is a set of elements of the system; again, consider the latter to be 
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states of the system. Corresponding to the operators + and • is a 
set of algorithms. Now, just as v;e established a morphism from 
[I, +, •] to [A, ®, @], we wish to establish a morphism from 
Multics to the model. In other words, given a set of algorithms 
for "secure" operation, which correspond to rules of the model, we 
wish to establish a mapping from the elements of Multics to the 
elements of the model in such a way that the algorithms (operations) 
are preserved. For each algorithm we wish to be able to specify a 
commutative diagram; for example: 



algorithm 3 




In this document the mapping M is partially specified. The algorithms 
then are to be so specified as to be able to show that M preserves 
operations; this specification is outside the scope of this report. 

In the remainder of this section we identify the elements of 
Multics and then show a preliminary correspondence of the identified 
elements to the elements of the model. It remains for future effort 
to show that the correspondence is a morphism. 

ELEMENTS OF A SECURE MULTICS 

State Elements 

Corresponding to a state (b, M, f, H) in the model is a set 
of information structures in Multics. The following correspondences 
have been identified: 
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segment descriptor words ^ 

access control lists- ^M 

information in directory segments 

and special process security ^f 

level tables 
branches ^H . 

An element (S. , 0., _x) in b indicates that subject S^. has current 
access to object 0. in access mode x^. In Multics the same 
information is contained in a descriptor segment base register (DSBR), 
a temporary pointer register (TPR), and a segment descriptor word (SDW). 
An address field in the DSBR is a pointer to the head of the descriptor 
segment for the process (subject) that is currently running on the 
processor to which the DSBR belongs. The TPR gives an offset, in the 
descriptor segment, to the SDW associated with the segment (object) 
to which the process has access. In the SDW is a field which indicates 
access permission (namely, read, execute, or write). When a process 
is ready or waiting (not running) the information in the DSBR and TPR 
is saved in the active segment table. 

In case the object referred to in a triple of the form (S. ,0.,_x) 

tt 
is something other than a segment, say a socket , correspondences 

like those shown above must pertain. 

^ 

An entry a. . = {r, w} in M indicates that subject S^. has 
read and write permission with respect to object 0.. Suppose 0. 

J J 

is a data segment. In Multics this information is kept in an 
access control list. An access control list has the following form: 

^The Multics described in this report is derived from Organick's The 
Multics System [4]. Multics, as an evolving system, currently may not 
fit this description, but at this writing, the variations were of little 
importance to the discussion. 

'^^The term "socket" denotes a connection from a process to a physical 
device for input or output operations. 
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G 



user identification 



mode of access 



ring bracket 



user identification 



mode of access 



ring bracket 



D 



c 



b 



and so forth. 



The access control list (ACL) together with other information (e.g. 
physical location) makes up a branch. A collection of branches is 
a directory segment. Corresponding to a. . then we have: 




\ 



Si 


r , w 


rinq 


bracket 


, 1 



'and so forth, 



"^Currently, ring brackets are associated with segments rather than 
ACL's; this presentation follows Organick. 
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The security level function f 
components: 



of the model has the three 



s- 



maximum security level of subjects; 



fp.* current operating security level of subjects; W,|- 



/1.l^i 



i'U^i^ 



security level of objects. 






J 



,A 









For example, fnCO,-) 



confidential means that 0. is cTassified 

J 



i f i c) 



confidential. This information would be kept in a .d>r'ectory 
segment in Multics, perhaps'lis" Im^^extFris^T^ bra,nd:j< Speci 
information structures for representing Kfo) and f fp ; have not yet^ 
been chosen at this writing; we postulate^'appropri^^ tables 
at a high level of abstraction for establishing correspondence to 
the model. 



The hierarchy H of the model is structured to reflect the 
tree structure among segments realized by branches in Multics; 
correspondence is quite straightforward. If 0. and 0. are 
objects in the model and H(0.) includes 0-, then 0. is the 
parent of 0.; the Multics structural equivalent of this situation 

J 

is shown in Figure 9. 







branch 



branch 



directory segment 



data segment 




di rectory 
segment 



Figure 9. Multics Hierarchy Equivalent 
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With respect to the model, the Multics link is considered a 
shorthand for a symbolic pathname: therefore, it introduces no 
additional structure. 

ROOT 




Figure 10. The Interpretation of Links 

From directory A in Figure 10, the symbolic name "D" is 

shorthand for ">B>D." 

Subjects and Objects 



A^process^ring pair (process, ring) in Multics corresponds to a 
subject in the model. Corresponding to objects in the model are, at 
least, directory segments, data segments, certain I/O devices, certain 
address spaces, and sockets. ~^ 
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Attribute Elements 

The set A ={r, e, w, a) is used in the model for access mode 
designation with the following meanings: 

r~read; observe only 

e^~execute; neither observation nor alteration 

w--write; observe and alter 

a^-append; alter only. 

For data segments in Multics the usage attributes correspond as 

follows: 

Multics Model 

read > r 

execute ^ ri, e^ 

read and write > w 

v/rite > IL* 

'"or directory segments the correspondences are: 
Multics Model 

status >r_ 

status and modify ^w 

append >§_ 

search > e^. 

For other objects in Multics the access attributes have not yet 
been specified sufficiently to permit exact correspondences to be 
established at the time of this writing. 

Corresponding to the set C = {C-i , Cg C^} of 

classifications in the model is a set of classifications in Multics; 
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top secret >C, 

secret^ > Cp 

confidential ■> Co 

unclassified ^^ C^, 

Corresponding to the categories K = {K, , Kp, . . ., K } of the 
model is a set of formal categories in Multics. The four 
classifications above have been adopted for general use [5]; the 
formal categories used in any particular installation will vary. 
For example, an installation might establish the correspondence: 



NATO^ 5^ K^ 

CRYPTO > K2 

NOFORN -» K3. 

For the present implementation, a maximum of 7 categories has been 
adopted as the standard. 

SECURITY PROPERTIES IN A SECURE MULTICS 



With the Multics/model element correspondences as a foundation, 
the examination of a secure Multics can proceed with an examination 
of the properties of Multics which will be deemed "security" 
properties. Among these properties are the Multics analogues of the 
security properties in the model; the identification of other 
security properties in Multics is also included here. 

The first model property reflected in a secure Multics is the 
ss-property , or simple-security property. This property embodies the 
military/governmental policy on disclosure, tailored to a computer 
environment. In the model, the ss-property requires that e\/ery current 
access involving observation (an element (subject, object, observe- 
attribute) in the current access set b) must imply that the level of 
the subject dominates the level of the object observed 
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(level (subject) » level (object)). In Multics, an SDW in an active 
segment's descriptor segment with the r indicator on indicates a 
current observe for that process. (Recall that in Multics "read" 
is the only observe access to data segments; "status" plays the 
identical role for directory segments.) Thus, for an active process, 
compliance with the ss-property means that the r (or s) indicator 
is on only in those SDWs where the level of the process dominates 
the level of the segment described by the SDW (see Figure 11). For 
an inactive process, compliance with the ss-property means that on 
activation the currently stored process information would conform to 
the requirements for an active process. 

In the model, the *-property places restrictions on current 
access triples (subject, object, attribute) based on the value of 
current-level (subject). Specifically, 

• if attribute is read , current-level (subject) dominates level (object); 

• if attribute is append , current-level (subject) is dominated by 
level (object); 

• if attribute is wri te , current-level (subject ) equals 
level (object) ; and 

• if attribute is execute , current-level (subject) and 
level (object) have no required relation. 

In Multics, the *-property can be phrased for active processes, the 
requirement for inactive processes being, as for the ss-property, 
that on activation the restrictions on active processes be satisfied. 
For any SDW of an active process's descriptor segment, the current- 
level of the process: 

• must dominate the level of a segment having the r indicator 
on and the w indicator off (respectively, the s indicator 
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on and the m indicator off) as shown for segment-1 in 
Figure 12. a; 

• must be dominated by the level of a segment having the r 
indicator off and the w indicator on (respectively, the 
s indicator off and the a indicator on) as shown for 
segment-2 in Figure 12. b; 

• must equal the level of a segment having both the r and 
w (respectively, s and m) indicators on (segment-3 in 
Figure 12. c); 

• must dominate the level of a segment having the e indicator 
on and the w indicator off (segment-4 in Figure 12. d). 

In the model, the ds-property requires that every current access 
(a triple (subject, object, attribute) in the current access set b) 
be permitted by the current access permission matrix M (attribute is 
an element of the (i, j)-component of M). The exactly analogous 
condition in Multics is required for the satisfaction of the 
ds-property. For every SDW and every access indicator that is on 
in the SDW, the branch in the segment's parent to the segment 
described by the SDW has the same access indicator on. In Figure 13, 
a, = ON implies g, = ON; a^ = ON implies gp - Ol^i ^nd a, = ON implies 
gj = ON. Note that (a^ a^, a^) = (ON, OFF, OFF) and 
Bp ^2' ^3^ ^ ^^^' ^^' ^"^^ satisfy the ds-property. Note that the 
maximum access permitted need not be present in the SDW. As before, an 
inactive process is required to be described dormantly so that on 
activation the above condition holds true. 

There are several other important security properties being 
considered in the development of a secure Multics. Two important 
correlative properties are sabotage and communication paths. 
"Sabotage" in this context means the malicious alteration or 
destruction of data, especially data related to the operation of 
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critical programs. The matter of communication paths centers on the 
possibility of information transmission using observable system 
characteristics and a prearranged code to semaphore critical 
information to an undercl eared subject/process. Neither of these 
topics is directly addressed by the mathematical model, although both 
can be satisfactorily resolved using the model as a paradigm; 
discussion of these security properties is included in the section 
FURTHER CONSIDERATIONS. 

RULES or OPERATION FOR A SECURE MULTICS 

Kernel primitives for a secure Multics will be derived from 
a higher level user specification and will serve to match the user 
specification to the particulars of the Multics architecture. Current 
planning is based on the desire to change the Multics architecture 
as little as possible; this will account to a large extent for 
radical differences in form between actual kernel primitives and 
the rules of the model. 

In the interests of exposition and better understanding, a set 
of imaginary kernel primitives is presented here. They are essentially 
a transliteration of the model rules using Multics terminology and 
elements. In this exposition the get-access rules of the model are 
translated into separate kernel functions, one for each of read, 
write-only write, execute attributes of the model. In Multics the 
current operation is such that only one access function serves: when 
a segment fault occurs (for example, as a result of a load or store), 
an SDW is created, if possible and allowable, with all allowable bits 
on (the r, e, and w indicators) which are on in the user's ACL. 

Another difference between the set of model rules and the projected 
kernel primitives is that there will be neither a change-subject- 
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current-security-level nor a change-object-security-level kernel 
primitive. Nevertheless, descriptions of these rules as well as the 
other nine rules of the model will be given here. 

For purposes of exposition each informally specified kernel 
function is given a name of the form kernel function i (kfi) with 
kfl corresponding the rule 1, kf2 corresponding to rule 2, and so 
forth. Objects will be considered to be data segments; similar 
operations would pertain for other objects. 
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kernel -function 1 : get-read 
Request has the elements: 

(a) get-access 

(b) process-id 

(c) segment-id 

(d) read 

Process process-id requests that access to data segment 
segment-id in usage mode read be enabled. 

The following conditions are checked: 

(i) the ACL (in the directory segment which is the parent of 
segment-id unless segment-id = Root) lists process-id with 
read usage (for segment-Id). 

(ii) the security level of process-id, as given in the 

security level table, dominates the security level of 
segment-id, as given in the branch extension in the 
directory segment which is the parent of segment-id. 

(iii) process-id is a trusted subject or the current security 
level of process-id, as given in the current security 
level table, dominates the security level of segment-id. 

If conditions (i) - (iii) are met, then a segment descriptor 

+ 
word (SDW) is added to the descriptor segment of process-id. The 



"''if the SDW already exists, then the following actions are still 
appropriate— essentially the appropriate access mode bit is turned on 
in the existing SDW. This remark pertains in following rules also. 
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SDW has the read bit on, is pointed to by a temporary pointer register 
(TPR), and points to segment-id. The process-id receives an affirmative 
response. 



Otherwise process-id receives a negative response from the 
kernel. 
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kernel function 2 ; qet-write-otil.y 
Request has the elements: 

(a) get-access 

(b) process-id 

(c) segment-id 

(d) write. 

Process process-id requests that access to data segment 
segment-id in usage mode wri te be enabled. 

The following conditions are checked: 

(i) the ACL in the directory segment which is the parent 
of segment-id lists process-id with write usage. 

(ii) process-id is a trusted subject or the security level 
of segment-id dominates the current security level of 
process-id. 

If conditions (i) - (ii) are met, then a SDW is added to the 
descriptor segment of process-id. The SDW has the write bit on, is 
pointed to by the TPR, and points to segment-id. The process 
process-id receives an affirmative response. 

Otherwise process-id receives a negative response from the 
kernel . 
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kernel function 3 : get-execute 

From the viewpoint of usefulness (not security), this function is 
appropriate only if the segment identtfied in the request for access is 
a procedure segment. 

Request has the elements: 

(a) get-access 

(b) process-id 

(c) segment-id (procedure-id) 

(d) execute 

Process-id requests that execute access to procedure-id be 
enabled. 

An appeal to rule kfl is made with "execute" replacing "read" 
in condition (i) and in the action description. 
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kernel-function 4 : get- re ad-write 

One of a number of possible forms for kf4 is shown here. 
Request has the elements: 

(a) get-access 

(b) process-id 

(c) segment-id 

(d) read and write 

Process-id requests that read and write access to segment-id be 
enabled. 

Action of kf4: 

(a) appeal to kfl 

(b) if response from kfl is affirmative then appeal to 
kf2; otherwise response is negative 

(c) if response from kf2 is affirmative, then response 
is affirmative; otherwise, response is negative. 
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kernel -function 5 : rel ease-read/execute/wri te 
Request has the elements: 

(a) release-access 

(b) process-id 

(c) segment-id 

(d) usage attribute 

Process-id requests that read, execute, or wri te access to 
segment-id be disabled. 

The read, execute, or write bit in the SDW pointed to by TPR 
is turned off. If no other access bits are on, then the SDW is 
removed from the descriptor segment of process-id. 
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kernel-function 6 : gi ve-read/execute/wri te 
Request has the elements: 

(a) give-access 

(b) requesting-process-id 

(c) receiving-process-id 

(d) segment-id 

(e) usage-attribute (read, execute, or write) 



Requestinq-process-id gives to receiving-process -id usage- 
attribute access to segment-id . 



The following conditions are checked: 






(i) neither the parent of segment-id nor the segment ^^ ^M'^- 
segment-id itself is the root of the directory '^ /^K'- 

hierarchy and the SDW for the parent of segment-id 
has the write indicator on. 



(ii) the segment segment-id is the root object of the 

directory hierarchy or is directly inferior to the ' < J> 

root and requesting-process-id is allowed to give j:> Cj *''''"'" ^ 
access permissign to the segment in the 
current state. 

If either condition (i) or condition (ii) is met and segment-id 
is not the root object, then an entry is added to the ACL in the 
directory segment which is the parent of segment-id; this ACL lists 
receiving-process-id with usage-attribute usage (to segment-id). If 
condition (ii) is met and segment-id is the root, then permission 
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for receiving-process-id to access segraent-id in usage-attribute 
mode is recorded. Reques ting-process-id receives an affirmative 
response. 

Otherwise reques ting-process-id receives a negative response. 
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kernel -function 6 : give-read/execute/write 
Request has the elements: 

(a) give-access 

(b) requesting-process-id 

(c) receiving-process-id 

(d) segment- id 

(e) usage-attribute (read, execute, or write) 

Reques ting-process- id gives to receiving-process-id usage- 
attribute access to segment-id . 

The following conditions are checked: 

(i) neither the parent of segment-id nor the segment 
segment-id itself is the root of the directory 
hierarchy and the SDW for the parent of segment-id 
has the write indicator on. 



(ii) the segment segment-id is the root object of the 
directory hierarchy or is directly inferior to the 
root and requesting-process-id is allowed to give 
access permission to the segment in the 
current state. 

If either condition (i) or condition (ii) is met and segment-id 
is not the root object, then an entry is added to the ACL in the 
directory segment which is the parent of segment-id; this ACL lists 
receiving-process-id with usage-attribute usage (to segment-id). If 
condition (ii) is met and segment-id is the root, then permission 
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for receiving-process-id to access segment-id in usage-attribute 
mode is recorded. Requesting-process-id receives an affirmative 
response. 

Otherwise requesting-process-id receives a negative response. 
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kernel-function 7 : rescind-read/execute/write 
Request has the elements: 

(a) rescind-access 

(b) requesting-process-id 

(c) receiving process-id 

(d) segment-id 

(e) usage-attribute 

Requesting-process-id takes from receivinq-process-id usage- 
attribute access to segment-id . 

The conditions checked are the same as the conditions of kf6 
except, of course, "rescind" replaces "give" in condition (ii). 

If either condition (i) or condition (ii) is met, then the usage- 
attribute is removed from the receiving-process-id's ACL entry in the 
directory segment which is the parent of segment-id; if no other 
usage attributes are left in this entry, then the entry is deleted. 
Requesting-process-id receives an affirmative response. 

Otherwise a negative response is given. 
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kernel -function 8 : create-object 
Request has the elements: 

(a) genera te-leaf-segment 

(b) process-id 

(c) segment-id 

(d) security-level (sec-level) 

Process process-id requests that a segment be added to the 
directory hierarchy directly below directory segment segment-id ; the 
added segment is requested to have level sec- level . 

The follovn'ng conditions are checked: 

(i) the SOW in the descriptor segment corresponding to the 
directory segment-id has the w bit turned on. 

(ii) sec-level dominates the security level of segment-id, 
which is recorded in the branch to segment-id, found 
in its parent directory. 

If conditions (i) - (ii) are met, then a branch is created in 
segment-id to the created segment, using a supplied name, say 
new- segment ; the level of new-segment is set to sec-level. The 
process process-id receives an affirmative response. 

Otherwise, process-id receives a negative response from the 
kernel . 
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kernel function 9 : del ete-object-qroup 
Request has the elements: 

(a) process-id 

(b) segment-id 

Process-id requests that segment- id be deleted (detached from 
the directory hierarchy). This results in deletion of all segments 
in the directory hierarchy which are inferior to segment-id. 

The following condition is checked: 

(i) same conditions as condition (i) of kf6. 

If the condition is met, then the following recursive algorithm 
is invoked: 

(i ) set current-segment-id to segment-id. 
(ii) if there are no branches in current-segment-id then 
do the following: 

(a) delete all SDWs which refer to current-segment-id. 

(b) delete current-segment-id from the hierarchy. 

(c) delete the branch of current-segment-id in 
its parent directory segment. 

(d) set current-segment-id to the segment-id of the 
parent of the segment just deleted. 

(e) if current-segment-id refers to the parent of 
segment-id (the original segment-id), then 
finished; else do action (ii). - 
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otherwise, set current-segment-id to the segment-id 
given in any branch and do action (ii). 
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kernel-function 10 ; chanqe-subject-current-security-level 
Request has the elements; 

(a) process-id 

(b) sec-level 

Process process- id requests that its current security level be 
changed to sec-level . 

The following conditions are checked; 

(i) process-id is listed in a table of trusted processes 
or for every SDW for a segment in the descriptor 
segment for process-id, 

• if the r indicator is on, sec-level dominates the 
level of the segment, and 

• if the w indicator is on, sec-level is dominated 
by the level of the segment. 

(ii) the security level of process-id, given in the security 
level table, dominates sec-level. 

If conditions (i) - (ii) are met, then the current security 
level of process-id in the current-security-level table, is changed 
to sec-level. The process process-id receives an affirmative 
response. 

Otherwise, process-id receives a negative response from the 
kernel . 
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kernel-function 11: chanqe-object-securlty-level 
Request has the elements: 

(a) revise-security-level 

(b) process-id 

(c) segment-id 

(d) sec-level. 

Process process-id requests that the security level of segment-id 
be revised to the value sec-level . 

The following conditions are checked: 

(i) process-id is a trusted process and the current security 
level of process-id, recorded in the current security 
level table, dominates the security level of segment-id, 
found in the branch to segment-id in segment-id's parent 
directory, 

(ii) for every SDW for a process and segment-id that has the 
r indicator on, the current level of process in the 
current-security-level table dominates sec-level. 
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(iii) for every SDW for a process and segment-id that has the 

w indicator on, sec-level dominates the current level 

of process , 
(iv) the security-level field of every branch in segment-id 

dominates sec-level and sec-level dominates the level of 

the parent of segment-id, 
(v) process-id is allowed to change segment-id's security 

level . 

If conditions (i) - (v) are met, then the security-level field 
of the branch to segment-id found in the parent directory of segment-id 
is changed to sec-level. The process process-id receives an 
affirmative response. 

Otherwise, process-id receives a negative response from the 
kernel . 
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SECTION IV 
FURTHER CONSIDERATIONS 



INTRODUCTION 



In this section we discuss topics that are related to the mathe- 
matical model only indirectly. The first of these is the concept of 
"trusted subjects": an attempt is made here to explicate the func- 
tional characteristics of trusted subjects and the formal justifica- 
tion required to make a subject "trusted." The other topics discussed 
are problems that might admit modeling in an extension of the current 
model but that have not been investigated in this way. These topics 
are "communication paths" (the indirect disclosure of sensitive in- 
formation), "sabotage" (the deliberate alteration or destruction of 
sensitive information), and "integrity" (a property addressing approved 
modification of information). 

The topics covered in this section become important in the 
certification and implementation phases of the development of a secure 
computer system. Moreover, resolutions of the problems have not been 
devised as yet. Hence, the discussion in this section will attempt 
to identify the issues, making use of specific examples in a Multics 
environment in the exposition. The discussion will of necessity not 
provide definitive answers: the intent is to formulate the questions. 

TRUSTED SUBJECTS 

Within the model, trusted subjects are those subjects not 
constrained by the *-property. Outside the model, a subject, to be 
designated "trusted," must be shown not to consummate the undesirable 
transfer of high level information that *-property constraints pre- 
vent untrusted subjects from making. The demonstration that a process 
can be a "trusted" process is the concern of this discussion. 
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It is important to emphasize here that a "trusted subject" is 
only required not to copy high-level information into a low-level 
segment (object). It is also important to guarantee that the operation 
of a trusted subject (procedure) cannot be used as a medium of clan- 
destine communication. That is, trusted subjects are not involved in 
communications paths, a topic we will discuss in a later section. The 
focus here is on "trustedness" — not copying information into in- 
appropriate objects. 

A sufficient (but not necessary) condition for declaring a 
process trusted is that the process is conceptually equivalent to a 
set of subprocedures each of which performs an operation constrained 
by the *-property and then chooses a successor. For example, the simple 
procedure: 

P: DO WHILE A; 

IF B THEN D: = E; 

ELSE F: = G; 

END; 

H: = I; 

END; 
is conceptually equivalent to the subprocedures PI , . . 

and organized as shown: 



P6 defined 



P6 



H: 




DO WHILE A 



<r 



P2 



D: = E 



\ 

IF B 

zri 

E I F: 



P5 



CONTINUE 



P4 
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If none of the subprocedures violates the *-property (using the minimal - 
conceptual current access for each Pi), then P itself would not 
violate the *-property, even if, say, A were top secret and H were 
confidential. 



Two remarks are in order. First, the division into subprocedures 
here is possibly overdone. If, for instance, D, E, and F are 
secret, B is confidential, and G is unclassified, then 
subprocedures P2, P3, P4 and P5 could be combined into a single 
subprocedure P7. P could then be represented as follows: 



PI 



■4— 



DO WHILE A 



P7 



^^ < / 

IF B THEN D;. = E; 

ELSE F: = G; 



P6 



Since P7 does not violate the *-property, P could be shown not 
to violate *-property using this subdivision also. The merits of 
subdivision to instruction level vs. subdivision only as needed can 
be worked out to suit individual tastes; the result will be the same 
in either case. 

The second point to be made about this type of demonstration is 
that the condition that the process be equivalent to a number of 
subprocedures obeying the *-property constraints is not necessary for 

/ \he establishment of trusted processes. In particular, if and when 
Vf alsemantically correct "write-down" from a high-level file to a 
\ / Tow-level file can be guaranteed, the process responsible could be 
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demonstrated to be trusted. The latter situation leads directly to 
the formulary concept, which is treated at some length elsewhere [20]. 

EXTRA-MODEL SECURITY PROPERTIES 

Communication Paths 

The first extra-model security property to be discussed is 
communications paths. By this term is meant the indirect disclosure 
of sensitive information, as opposed to the direct disclosure of 
information which is addressed by the security properties of the 
model. Indirect disclosure can be effected by transmitting data 
piecemeal using observable system characteristics as the code medium. 

A large number of observable system characteristics can be 
used to transmit information, frequently a bit at a time. Possibly 
the most difficult medium to rule out as a communication path is 
real time: intervals of real time, delimited by prearranged 
observable events and varied by using the system, can be used to 
transmit information in bit strings (see Figure 14). 



event 



event 



event 




event 



event 



event 



v 



interval 1 
1 



interval 3 interval 4 interval 5 
1 1 



real- 
time 



Figure 14. Communication Using Real-Time Intervals 
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Examples of system uses to vary real-time intervals are computing- 
to-IO ratios and paging rate. There is the possibility that 
synchronous paths cannot be entirely eliminated from any system that 
shares data. Examples of this type of communication can be found in 
B. W. Lampson's discussion of system-performance information channels 
[21] and Lipner's discussion of improvements (viz., lowering bandwidths 
of paths) [23]. 

Indirect communication using nonsynchronous paths remains a 
very complicated problem. Since a nonsynchronous path must make 
use of files, system variables, and the like to transmit a message, 
close and careful consideration of e\/ery possible action in a system 
will discover every nonsynchronous communication path. Within the 
model, however, there is no guidance for this enumerative exercise. 
In addition, the exercise itself can involve very subtle interactions 
of a number of objects.''' Two examples will be presented to demonstrate 
the subtleties involved. Both examples involve the capability to 
create and destroy objects. 

Suppose in the first instance that secret-process can create 
and destroy confidential segments whose existence can be detected by 
confidential -process (see Figure 15). 



(seer 



cret-process 



creates/destroys 



confidential -segment 




^ seen or ^nf i denti al -procej; 

not seen by 



Figure 15. An Example of a One-Bit Message 
tA description of a solution to this problem may be found in [22]. 
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A string of such confidential segments could easily be used to 
transmit a bit string to a confidential process, by destroying those 
segments which correspond to zeroes in the bit string (Figure 16). 
This situation is clearly undesirable. 
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Figure 16. The Transmission of the Bit-String 10110 



For the second example, suppose that confidential -process is 
denied a request to destroy a confidential directory vf there is a 
secret segme nt infe rior to it (see Figure 17). 

_ request to ■ confidential segment 

:onfidenti al -process 




Figure 17. Another One-Bit Message 
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In this case, secret-process can alter the system's response to a 
request to destroy the confidential segment by creating or destroying 
a subordinate secret segment. This situation too is undesirable. 

Neither of these situations is possible in the secure Multics 
design. The first example is disallowed by compatibility: to 
destroy a segment one must read/write the segment's parent which, by 
compatibility, has a level lower than or equal to that of the 
segment itself. The second example is disallowed because the 
destruction of objects specified by rule 9, delete-object-group, 
does not prohibit a confidential process from destroying a secret 
object inferior to the root object of the destroyed subtree. 
However, the care with which creation and destruction algorithms 
must be designed illustrates the complexities of enumerating the 
full list of objects which can be used in nonsynchronous communications 
paths. 

Sabotage and Integrity 

Sabotage, in this context, means undesired alteration or 
destruction of information by the purposeful action of an agent; 
integrity is a property determined by approved modification of 
information. To clarify the meanings of the two terms "sabotage" 
and "integrity" the intended meanings of the adjectives "undesired" 
and "approved" must be explicated. An alteration or destruction of 
information is undesirable if the intended and well-intentioned 
users of the system deem it so; a modification is approved if these 
same users consider the resulting semantic content of the modified 
information to be correct. Hence, in the context of information 
stored in a computer-based information system, sabotage and 
integrity are closely related- 
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An act of sabotage can have two principal effects: improper 
functioning of the system and incorrect semantic content. An 
integrity policy attempts to prevent acts of sabotage within the 
information system or to localize the effects to an acceptable 
degree. 

Work on a model or integrity policy implementation is proceeding 
at MITRE [23]. A major problem is to specify an acceptable and 
appropriate policy to govern the modification of data segments. We 
consider here a simple model of integrity, leaving policy largely 
unspecified, in order to further the exposition of the problem. 

Suppose that a set S of "integrity levels" is given: consider 
as an example the set: 

nonsensitive < sensitive < critical < \i^T)i critical 

The semantics of these terms is suggestive; the integrity policy is, 
nevertheless, not specified by them since they are not formally Si 

defined. Suppose further that integrity level functions, analogous ^i>^ b|^ 
to security level functions, are defined: UM£i4^^''-^ , f C&v^^f^C^( '^*" 

I5: {subjects} ^{integri^levels} and ^\^'' -.^^ ^^""^^ 

Iq: {objects} ^{integrity levels}. t ^0 Ma^^ Ia T ^.-^ . 

I5 (subject) denotes the maximum integrity level of an object that ^f) v* 
subject is allowed to modify; IgC object) denotes the minimum level I 
of any subject that is allowed to modify object . 

Redefine a state v of the system by the inclusion of 
I = (Is. Iq): 
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V = (b, M, f, I, H). 

We can define a simple- integrity-property (si -property), analogous to 
the ss-property, as follows: 

a state satisfies the si-property provided for e^ery current 
alter-access (subject, object, alter-attribute), the 
integrity level of subject (^(subject)) is greater than or 
equal to the integrity level of object (I-,(object)). 

More formally, v = (b, M, f, I, H) satisfies the si-property 
provided: 

[(S., 0-, x_) in b and _x in {w, a^}] 
implies 13(5.) > Iq(Oj). 

There is an alternative formulation of the si -property, as there is 
for the ss-property: 

the state v = (b, M, f, I, H) satisfies the si-property 
provided every (S., 0., _x) in b satisfies the simple- 
integrity condition relative to I (SIC rel I) ; (S., 0., _x) 
in b satisfies SIC rel I provided (x^ = w or _x = a^) 
implies that IgCS^O ^ Iq^^j^' 

Given the above extension of the model, needed modifications 
to the rules of operation are obvious; moreover, intuition indicates 
that assuring the si-property systemically is inductive and can be 
accomplished by demonstrating si-property preservation over one 
state change (as is the case for secure state preservation). No 
analogue to the *-property exists, since the problem of information 
transfer within the realm of disclosure has no analogue in the 
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realm of sabotage. Finally, an inverse compatibility property for 
the hierarchy seems attractive; this would dictate that the 
integrity level of objects be monotone non-increasing on paths away 
from the root. This latter property relates to "localizing" damaging 
effects of sabotage action. Actual sabotage of sensitive-directory 
in Figure 18 indirectly sabotages inferior segments, which are 
necessarily nonsensitive or sensitive under inverse compatibility; 
the effect of sabotaging sensitive-directory by a sensitive process 
running amok would not extend to its parent, critical -directory , 
nor to unrelated segments such as critical-segment , sensitive-segment , 
and nonsensitive-segment . 



on 



ROOT 
{s&T)i critical) 




sensitive-segment 



:ri ti cal -di rectory 



critical -segment 




sensitive- 
di recto rv 



nonsensitive- 
segment 
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sensitive- 
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Figure 18. The Subtree Affected by Sabotage of Sensitive-Directory 
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APPENDIX 
Introduction 

The formal mathematical model is presented in this Appendix. 
No interpretation or explanation is offered, except as subsequently 
noted. The intended interpretations and correspondences to Multics 
architectural elements are given in the body of this report. In 
the section of this Appendix on rules, a narrative statement of each 
rule is given in order to reduce the reader's inconvenience in 
dealing with highly abstract symbology and in order to provide a 
natural language statement of intention by which errors or policy 
misdirections in the formal statements may be more easily discovered. 

Elements 

The elements of the mathematical model are presented in Table 1. 
Some items are not self-explanatory and they are explained here. 

partial ordering relation x: 

A relation R is a partial ordering relation if R is 
reflexive , antisymmetric , and transitive . 

Suppose that U is a set and R is a binary relation defined 
on U, with elements of U denoted by small letters a, b, c, . . 
etc. 

reflexive : R is reflexive if xRx for each x in U. 

antisymmetric : R is antisymmetric if [xRy and yRx] implies 
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X = y (x is identically y) for each x and y in U. 
(In other words, we have xRy and yRx (symmetry) only 
in case x = y.) 

transitive : R is transitive if [xRy and yRz] implies 
xRz for each x and y and z in U. 



L = {L,, Lp, . . ., Lp} where L. = (C, K) and C. is in 
C and K is a subset of K. Define the relation » on L as 
follows: 



(L., L.) e x> = L. 30 I. = (C., K) » (C^., K' ) iff 



(i) C. > Cy and 



(ii) K£K 



D 1^' 



Since both ">" and "d" are partial orderings, a straightforward 
argument shows that "»" is also a partial ordering. 



Suppose C = {S, C, U}, S > C > U, and K = {K^ , K2, K3} 
and L^ = (S, {K^, K2}), L2 = (s, {K^}), L3 = (C, {K^, K2}), 
L4 = (C,{K^}), Lg = (S, {K2, K3}, Lg= (C, {K2}), and L7=(U,{K^}), 
The partial ordering of these elements of L is illustrated as a 
digraph in Figure Al . l ,. 




-> E 30 



Figure Al : Illustration of ». 
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Suppose [U, R] is a partially ordered system. An element 
m in U is called a minimal element in U if mRx implies xRm 
for each x in U; if m is unique it is called a minimum. For 
[L, »], as in the previous example, there are three minimal 
elements, (U, K-,), (U, K2). and (U, K3) and there is no minimum. 
If K' = K u {(f)}, then (U,(t)) is a minimum in [C x K',»]. 



the notation A 



B. 



Suppose A and B are sets. The notation A denotes the set 

of all functions from B to A. Suppose A = {a, b} and B = {1, 2}; 

p 
then A consists of 

f■^ = {(1. a), (2, b)}, 

f2 = {(1, b), (2, a)}, 

f3 = {(1, a), (2, a)}, and 

f/i = {(1. b), (2, b)}. 



cartesian product : 

Suppose A and B are sets. The cartesian product of A and 

B, denoted A x B, is defined by 

A X B = {(a, b): a e A and b e B}, 



i.e., A X B is the set of all ordered pairs of the form (a, b) 
where a is in A and b is in B. Suppose A = {a, b} and 
B={1,2}. Then AxB={(a, 1), (a, 2), (b, 1), (b, 2)}. Notice 
that BxA={(l,a), (2, a), (l,b), (2, b)} ?« A x B. Notice 



also that 



f, c B X A, 



1 



defined above. 
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the notation PX : 

Suppose X is a set, say X = {a, b, c}. PX means the set of 
all subsets of X. In this case, PX = {<|), {a}, {b}, {c}, {a, b}, 
{a, c}, {b, c}, {a, b, c}} where <|) denotes the empty set. 

hierarchies : 

Suppose f/9 (PO)^ where = {0^ , O2, O3, 0^, Og). Restrict 
membership in H by the conditions (1) and (2) (see Table 1 , entry 
for H). Define H e K as follows: 

H = {(0^, {O2, O3}), (O2, <!)), (O3 {O4, O5}), (O4, <!,), (O5, ^)}. 



H can be described also by a diagraph: 






Condition (1) rules out a structure such as 
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and condition (2) rules out a structure such as 




If an element of K imposes a forest structure on the objects with 
exactly one tree, as in the example, we Identify the root of the 



tree by the notation 
that object in 



Or 



for which 



If H is a tree structure then Or, is 



R 



H(Op) f i> and 



Oj^ i H(0) for any e 0. 



If 0. is an object in then 

J 



s(j) 



denotes that object with 



respect to H such that 0. e H(0 a.x); in other words ^.y is 

by H. 



"superior" to 0. 

J 



Sys tem 



Suppose that WCRxDxVxV. The system 
X (R, D, W, Zq)c X X Y X Z is defined by 



(x, y, z) e i;(R, D, W, z^) iff 



(x^, y., z., z . _, ) e W for each t in T, 
where z is an initial si 



of the form ((f), M, f, H). 



where z is an initial state of the system, usually 



Properties 

We define properties in terms of the members of a state sequence. 
We then say that the system has a specified property if each state of 
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every state sequence of the system has the property. The following 
notation is defined. 

b(S: X , ^, . . ., z^) = {0: (S, 0, x) e b or 

(S, 0, ^) e b or 



(S, 0, z) e b} 

simple-security 

A state V = (b, M, f, H) satisfies the simple-security property 
(ss-property) iff 

S € S=>[(0 e b (S: r, w)) =>(f5(S) » f^CO))]. 

It is convenient also to define: 

(S, 0, x_) e b satisfies the simple security conditio n rplative 
to f (ssc rel f) iff 

(i) _x = e^ or a^, or 

(ii) x=rorw and f^CS) » f^CO). 

Then it is easily shown that a state v = (b, M, f, H) satisfies 
ss-property iff each (S, 0, x) e b satisfies SSC rel f. 

*- property 



Suppose S' is a subset of S. A state v = (b, M, f, H) 

'^atisfies the *-propertv relative to S' iff 
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S e S'=>} 



(0 £ b(S: a))^(fQ(0) 30 f^(S)) 
(0 £ b(S: w))=>(fQ(0) = fJS)) 
(0 £ b(S: r))=$>(fJS) xf^CO)), 



An immediate consequence is: if v satisfies *-property rel S' 
and S e S' then 

[Oj £ b(S: a) and 0^ e b(S: r)] ^fo(Oj) » fQ(0,^). 

discretionary-security 

A state V = (b, M, f, H) satisfies the discretionary-security 
property (ds-property) iff 

(S., Oj, x) £ b => X £ M.j. 

secure system 

A state V is a secure state iff v satisfies the ss -property 
and *-property rel S' and ds-property. A state sequence z is 
a secure state sequence iff z is a secure state for each t e T. 
Call (x, y, z) e £{?., D, W, z ) an appearance of the system, 
(x, y, z) € E{R, D, W, z ) is a secure appearance iff z is a 
secure sequence. Finally, L{R, D, W, z ) is a secure system iff 
e^ery appearance of L{R, D, W, z ) 
definitions pertain for the notions. 



every appearance of X(R, D, W, z ) is a secure appearance. Similar 



(i) the system X(R, D, W, z ) satisfies the ss-property, 
(ii) the system satisfies *-property rel S' , and 



(iii) the system satisfies the ds-property. 
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Definition of Rule 

A rule is a function p: R x V -> D x V. A rule therefore 
associates with each request-state pair (input) a decision-state 
pair (output). 



A rule p is secure-state-preserving iff v* is a secure 

state whenever p (R. , v) = (D , v*) and v is a secure state. 

K in 

Similar definitions pertain for the notions 

(i) p is ss-property-preserving, 

(ii) p is *-property-preserving, and 

(iii) p is ds-property-preserving. 

Suppose u) = {p,, pp, ...» p } is a set of rules. The 
relation W(u)) is defined by 

(R|^, 0^, V*, v) e W(u)) iff D^ f ? and 

(D|^, V*) = p^. (R, , v) for a unique i, 1 < i < s. 

Theorems 

(R^. , D., V*, v) e R X D X V X V is an action of LiR, D, W, z^) 
iff there is an appearance (x, y, z) of X(R, D, W, z ) and some 
t € T such that (R^., D^, v*, v) = (x^, y^, z^, ^t-})' 

theorem Al : 

X(R, D, W, z ) satisfies the ss-property for any initial 
state z which satisfies ss-property iff W satisfies the following 
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conditions for each action (R., D., (b*, M*, f*, H*) , (b, M, f, H)): 

(i) each (S, 0, x) e b*-b satisfies the simple security 
condition relative to f* (SSC rel f*); 

(ii) each (S, 0, x) e b which does not satisfy SSC rel f* 
is not in b*. 

argument : 

(<=) 

Suppose z = (b, M, f, H) is an initial state which satisfies 
ss-property. Pick (x, y, z) € D(R, D, W, z ) and write 
z^ = (b^*^ M^*\ f^*^ H^^h for each t € T. 

z, satisfies ss-property 

(x,, y, , z,, z ) is in W. In order to show that z, satisfies 

I I I /-I \ 1 

ss-property we need to show that each (S, 0, x) in b^ ' satisfies 
SSC rel f^^^ 

Notice that b^^ ^ = (b^^^ - b^^^U (b^°^ n b^^^) and 
(b^^^ - b^^h n (b^^^ n b^^h = ^. Suppose (S, 0, x) is in b^^^ 
Then either (S, 0, x) is in (b^^^ - b^°^) or is in (b^^^n b^°^). 
Suppose (S, 0, x) is in (b^^^ - b^^'). Then (S, 0, x) satisfies 
SSC rel f^^^ according to (i). Suppose (S, 0, x) is in 



(b^°^ n b^^^). Then (S, 0, x) satisfies SSC rel f^^^ accordi 
to (ii). Therefore z, satisfies ss-property. 



ng 
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if z 



.^ _ 1 satisfies ss-propert.y, then z. satisfies ss-property . 



The argument given for "z, satisfies ss-property" applies with 
"t-l" substituted for "0" and "t" substituted for "1". 



By induction, z satisfies ss-property so that the appearance 
(x, y, z) satisfies ss-property. (x, y, z) being arbitrary, 
2)(R, D, W, Zq) satisfies the ss-property. 

(=>) 

Suppose X(R, D, W, Zq) satisfies the ss-property for any 
initial state Zq which satisfies ss-property. 

Argue by contradiction. Contradiction yields the proposition 

"there is some action (x., y., z., z ,) such that either 

(iii) some (S, 0, x) in b^*' - b^*"^' does not 

satisfy SSC rel f^*' or 

(iv) some (S, 0, x_) in b^ ~ ' which does not 

satisfy SSC rel f^*^ is in b^*^ i.e., is 
in b(t-i)n b(*^" 

Suppose (iii). Then there is some (S, 0, _x) in b^ ' which 
does not satisfy SSC rel f(*). Suppose (iv). Then there is some 
(S, 0, x) in b^*' which does not satisfy SSC rel f^*'. Therefore 
z. does not satisfy ss-property, (x, y, z) does not satisfy 
ss-property, and so L{R, D, W, Zq) does not satisfy ss-property, 
which contradicts initial assumption of the argument. 
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The argument is complete. 

theorem A2 : r(R, D, 11, Zq) satisfies the *-property relative to 
S'c S for any initial state Zq which satisfies *-property relative 
to S' iff W satisfies the following conditions for each action 
(R., Dy (b*, M*, f*, H*), (b, M, f, H)): 

(i) for each S e s' , 

(a) € (b* - b)(S:a) => fQ*(0) » f^*(s), and 

(b) € (b* - b)(S:w) => fQ*(0) = f^*(S), and 

(c) € (b* - b)(S:r) => f^*(S) » f^*(0); 

(ii) for each S e S' , 

(a') [0 € b(S:a) and fQ*(0) ^ f^*{S)] => 
4 b*(S,a.), and 

(b-) [0€ b(S:w) and fQ*(0) / f^*{S)] => 
^ b*(S,w), and 

(c') [0 € b(S:r) and f^*(S) ?6 f^HO)} => 
i b*(S:r). 

argument : 

Suppose Zr. = (b, M, f, H) is an initial state which satisfies 
♦-property rel S'. Pick (x, y, z) in r(R, D, W, Zq) and write 
z^ = (b^*^ M^*^ f^^\ U^^h for each t € T. 
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z, satisfies *-property rel S' 

(x, , y, , z,, Zq) is in W. in order to show that z^ 
satisfies *-property rel S' we need to show that: 



(iii) S e S'^. 



e b(^)(S:a)=>f^^^)(0)» f^^^)(S) 
e b^^\s:^!i)^fJ^^\o) = f^^^Hs) 
e b(^^S:r)=?> f^^^^(S) » f^^^^O) 



Suppose (S, 0, x) e b^ S S e 5', x e {a_, w, r}. Then either 
(S, 0, x) is in (b^^) - b^^)) or (S, 0, x) is in (b^^^ n b^^^). 
Suppose (S, 0, x) is in (b^^^ - b^°^). Then (iii) is satisfied 
according to (i). Suppose (S, 0, x) is in b"^n b^^^ Then (iii) 
is satisfied according to (ii). Therefore z, satisfies *-property 
rel S'. 

if z ._i satisfies *-property rel S' , then z ^. satisfies 
*-property rel S' 

The argument given for "z, satisfies *-property rel S'" 
applies with "t-1 " substituted for "0" and "t" substituted for 



By induction, z satisfies *-property rel S' so that the 
appearance (x, y, z) satisfies *-property rel S' . (x, y, z) 
being arbitrary, i:(R, D, W, Zq) satisfies *-property relative to 
S". 

(=>) 

Suppose i:(R, D, W, z^) satisfies *-property relative to S' 
for any initial state Zq which satisfies *-property rel 5'. 
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Argue by contradiction. Contradiction yields the proposition 

"there is some action (x^, y^, z^, z^_^) such that either 

(iv) (i) is false or 
(v) (ii) is false." 

Suppose (iv). Then there is some S e S' such that (a) is false or 
(b) is false or (c) is false. Then z^ does not satisfy *-property 
rel S'. Suppose (v). Then there is some S e S' such that (a') is 
false or (b') is false or (c') is false. Then z^ does not satisfy 
♦-property rel S'. This leads to "(x, y, z) does not satisfy 
♦-property rel S' and so z(R, D, W, Zq) does not satisfy 
♦-property rel S'", which contradicts initial assumption of the 
argument. 

The argument is complete. 

theorem A3 : z(R, D, 14, Zq) satisfies the ds -property iff Zq 
satisfies the ds-property and W satisfies the following condition 
for each action (R., D^, (b*, M*, f*, H*), (b, M, f, H)): 

(i) (S,, ., x) e b* - b => X e M* .; and 
aa — — a»a 

(ii) (Sg, Og,, X ) e b and xi M*^^, => (S^, 0^,, x) i b*. 

(<=) 

If (S , ,, x) e b^^^ - b^°^ X e M, ^^\, by (1), Suppose 
aa a,d 

(S , ,, x) e b^^^n b(°\ If X ^ M^ ^^\. then (S^, 0^,, x) ih^^K 
a 9 / \ 

contrary to our supposition. Thus x e M^^ g,. 
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(S, ., X) s b^l) = (b^l) - b^O)) u (b^^^n b^^h, X e M (;l and 

a a — a jd 

z, satisfies the ds-property. 

Suppose e(R, D, W, Zq) satisfies the ds-property. 

Argue by contradiction. Contradiction yields the proposition 

"there is an initial state z^ satisfying the ds-property and 
there is some action (x., y., z+, z. ,) such that there 
is some (S,, . , x) e b^^^ such that x ^ M^''^ .." 

a a — — a J a 

Therefore z. does not satisfy ds-property, (x, y, z) does not 
satisfy ds-property, and so 5:(R, D, W, Zq) does not satisfy 
ds-property, which contradicts the initial assumption of the 
argument. 

The argument is complete. 

corollary Al : z(R, D, W, Zq) is a secure system iff Zq is a 
secure state and W satisfies the conditions of theorems Al , A2, 
and A3 for each action. 



theorem A4 ; Suppose w is a set of ss-property-preserving rules 
and Zq is an initial state which satisfies ss-property. Then 
D(R, D, W (o)), Zq) satisfies ss-property. 

argument 

Suppose D(R, D, W (w), Zq) does not satisfy ss-property. 
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Then there is (x, y, z) in s(R, D, W (o)), Zq) which does not 
satisfy ss-property. Suppose t is the least element of T such 
that z. does not satisfy ss-property . Since Zq satisfies 
ss-property, t > 0. By choice of t, z., satisfies ss-property 
and z._i f z.. By definition of s(R, D, W (co) , Zq), 
(x^, y., z^, z^_^) e W (o)). By the definition of W (o)), there is 
some rule p e co such that p{x^, z+.-i ) = (y^j z^). Since z^_i 
satisfies ss-property and p{x^, z+i ^ ~ (-^t' ^t^ ^""^ ^ ^^ 
ss-property-preserving, z ^ satisfies ss-property . The contradiction 
shows that s(R, D, W (co), Zq) satisfies ss-property. 

The argument is complete. 

theorem A5 : Suppose to is a set of *-property preserving rules 
and z^ is an initial state which satisfi 
s(R, D, W (to), Zq) satisfies *-property. 



and Zq is an initial state which satisfies *-property. Then 



argument : The argument is that of theorem A4 with the substitution 
of *-property for ss-property. 



theorem A6 : Suppose to is a set of ds-property preserving rules 
and Zq is an initial state which satisfies ds-property. Then 
s(R, D, W (to), Zq) satisfies ds-property. 

corollary A2 : Suppose to is a set of secure-state-preserving 
rules and Zq is an initial state whic 
s(R, D, W (to), Zq) is a secure system. 



rules and Zq is an initial state which is a secure state. Then 



theorem A7 : Suppose v = (b, H, f, H) is a state which satisfies 
ss-property, (S, 0, x) ^ b, b* = b u {(S, 0, x)}, and 
V* = (b*, M, f, H). Then v* satisfies ss-property iff 
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(i) (x = £ or X = a^) or 

(ii) (x = r or X = w) and f (S) » f (0). 

argument 

(=>) 

Suppose V* = (b*, M, f, H) satisfies ss-property. Then 
e b* (S:r, w)=>fg(S) » f^(0) by definition. Therefore (1) or 
(ii) holds since x e {£, w, r_, a). 

(<=) 

Suppose (i). Then v* satisfies ss-property since v does. 

Suppose (ii). Then for any S e S we have 
* (S:r, w)=>fg(S) » f^(o) since 
Therefore v* satisfies ss-property. 



e b* (S:_r, w)=>fg(S) » fQ(0) since v satisfies ss-property 



theorem A8 ; Suppose v = (b, M, f, H) is a state which satisfies 
♦-property rel S' c S, S e S', (S, 0, x) ^ b, 
b* = b u{(S, 0, x)}, and v* = (b*, M, f, H). 

4- 

V* satisfies *- property iff 



(1) if x=a., then fQ(0)»f(S); 

(ii) if X = w , then fj,(S) = fQ(S); and 

(ill) if X = r, then f (S) » f (0). 

— — c 



. t "rel S'" is understood. 
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argument ; 

(=> ) Suppose V* satisfies *-property. The definition of *-property 
applied to S, and (S, 0, ><_) yields conditions (i), (ii), and 
(iii) directly. 

(<=) Suppose conditions (i) - (iii) hold. Let (S., 0.,^)f b* 
with S. e S*. If (S., 0., ^) e b, the *-property conditions 
hold for f by the assumption that v satisfies *-property. If 
(S., Oj, ^) ^ b, (S., Oy ^) = (S, 0, x) and the *-property 
conditions hold by the initial assumption of conditions (i) - (iii). 
Hence v* satisfies *-property as desired. 



theorem A9 ; Suppose v = (b, M, f, H) is a state which satisfies 

ds-property, (S^. , 0^, x) O, b* = b U{(S^., 0^, x)} , and 

V* = (b*, M, f, H). Then v* satisfies ds-property iff )<_e M. .. 

argument ; 

(=> ) Suppose V* satisfies ds-property. Then ><_ e M. . by 

I J 

definition. 



(=> ) Suppose x^ e M... Then, since (S., 0., x) e b*, the 

I J 'J 

proposition ((S., 0., x) e b* =-> x_£ f1. .) is true; therefore, 
V* satisfies ds-property. 



corollary A3 ; Suppose v = (b, M, f, H) is a secure state, 

(S^., Oy x) O, b* = b U{(S., Oy x)}, and v* = (b*, M, f, H), 

Then v* is a secure state iff 

(i) S. e Sj and the conditions of theorems A7 and A9 
are met, or 
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Cii) S. e S' and the conditions of theorems A7, A8, and 
A9 are met. 



theorem A10 : Let p be a rule and p{Rj^ ) = (D^^, v*), vihere 

V = (b, M, f, H) and v* = (b*, M*, f*, H*). 

(i) If b*Q b and f* = f, then p is ss-property-preserving. 

(ii) If b*Q b and f* = f, then p is *-property-preserving. 



(iii) If b* c b and M..*^^. . for all i and j. then p 

'J 'J 

is ds-property-preserving. 



(iv) If b*9 b, f * = f, and f1*. 2 M.. for all i and j, 
then p is secure-state-preserving. 



argument : 

(i) If V satisfies the ss-property, then (S, 0, x) e b* 
with X. = w or _r implies (S, 0, )<^) e b so that 
fg (S) » f (0) by assumption. Hence f^* (S) » f^* (0) 
since f* = f. Thus v* satisfies ss-property and p 
is ss-property-preserving. 

(ii) and (iii) are proved in v^ays exactly analogous to 
the proof of (i). Implications (i), (ii), and 
(iii) prove implication (iv). 
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Rules 



notation 



The symbol "^" will be used in expressions of the form "A\B" 
to mean "proposition A except as modified by proposition B". 
Some examples follow. Suppose f is a function from the set 
{A, B, C} to the set {0, 1, 3} defined by: 

f(A) =1 or (A, 1) e f, 
f(B) = or (B, 0) e f, 
f(C) = 3 or (C, 3) e f. 

Then f\(C, 1) or f\f(C) = 1 means 

f(A) = 1, 
f(B) = 0, 
f(C) = 1. 



Suppose M is a matrix. Then M\M. . <- a means the matrix 

th 
obtained from M by replacing the (i, j) element by a. 

M\M. . U {x} means the matrix obtained from M by adding the 

element x to the (i, j) set entry. Similarly, the notation 



f\f <- f U (OwFufu\> L ) [see Rule 8] means the function obtained 
from f by replacing f by f plus the ordered pair 

^%EW(H)' "-u^ ^^0 (°NEW(H)^ = "-u^- "^^^ notation NEW(H) denotes 
a selection function with respect to the hierarchy H which 
specifies an arbitrary inactive object index. 



definitions of rules 

The definitions of Rules 1 to 11 are given in the following 
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pages. These rules preserve compatibility and assume the presence 
of trusted subjects. 
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descriptions of rules 
rule 1: get- read 

Request is of the form (g, S., 0., r.) 



(r). 



Subject S. requests access to object 0. in read-only mode 



If request is not of the proper form, then response is T^with 
no state change. 

Otherwise, the following conditions are checked: 



(i) S. has current access permission to 0. in 

1 J 



read-only mode. 



(ii) the security level of S. dominates the security 
level of 0.. 

(iii) S. is a trusted subject or the current security 
level of S. dominates the security level of 0.. 



If conditions (i) - (iii) are met, then the response is ^es_ 
and the state changes by adding an entry in the current access list 
indicating that S. has read-only access to 0.. 

Otherv/ise the response is no with no state change. 
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rule 2: get-append 



Request is of the form (g, S., 0., a^). 

Subject S. requests access to object 0. in append mode (a^) 

' u 

If request is not of the proper form, then response is ?_ 
with no state change. 



Othervn'se the following conditions are checked: 



(i) S. has current access permission to 0. in 
append mode. 



(ii) S. is a trusted subject or the security level 
of 0. dominates the current security level of 
S.. 

If conditions (i) - (ii) are met, then the response is yes and 
the state changes by adding an entry to the current access list 
indicating that S. has append access to 0.. 

Otherwise the response is no with no state change. 

rule 3: get-execute 

Request is of the form (g, S. , 0., e). 



(e). 



Subject S. requests access to object 0. in execute mode 
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If request is not of the proper form, then the response is ]_ 
vn'th no state change. 

Otherwise the following condition is checked: 

(i) S. has current access permission to 0. in execute 
mode. 

If condition (i) is met, then the response is yes and the 
state changes by adding an entry to the current access list 
indicating that S. has execute access to 0.. 

Otherwise the response is no viith no state change. 

rule 4: get-write 

Request is of the form (g, S. , 0., w). 

' u 

Subject S. requests access to object 0. in write mode (w) , 

' u 

If request is not of the proper form, then the response is ?. 
with no state change. 

Otherwise the following conditions are checked: 

(i) S. has current access permission to 0- in write 

' u 

mode. 



(ii) the security level of S. dominates the security 
level of 0.. 

J 
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(iii) S. is a trusted subject or the current security 
level of S. equals the security level of 0.. 

If conditions (i) - (iii) are met, then the response is ye£ 
and the state changes by adding an entry to the current access list 
indicating that S. has write access to 0.. 

Otherwise the response is no with no state change. 



rule 5: release-read/execute/write/append 

Request is of the form (r, S^. , 0., x^). 

Subject S. signals the release of access to object 0. in 
access mode x. 

If request is not of the proper form, then the response is ?_ 
with no state change. 

Otherwise the response is yes and the state changes by 
removing an entry from the current access list indicating that S^ 
no longer has access to 0. in mode x^. 



rule 6: qive-read/execute/write/append 

Request is of the form (S^, g, S^ , 0., x^) , 



116 
ToleammoreL _n and OCR goto Th 



Subject S, gives to subject S. access permission to 0. 

A 1 J 

in mode x^. 

If request is not of the proper form, then response is T^with 
no state change. 

Otherwise the following condition is checked: 



(i) object 0. is not the root object of the hierarchy 

J 

and subject S^ has current access in write mode to 
O.'s immediately superior object (0<.f-jJ i" the 
hierarchy 



or 

0^ is the root object and S,is allowed to give 
access permission to the root object in the 
current state. 

If condition (i) is met, then the response is yes and the 
state is changed by adding access permission for S. to 0. in mode 
x^ to the access permission matrix. 

Otherwise the response is jio^with no state change. 

rule 7: rescind-read/execute/write/append 

Request is of the form (S^, r, S . , 0.., x). 

A 1 J 

Subject S, rescinds subject S.'s access permission to 0. 

A 1 J 

in mode ><^. 
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If request is not of the proper form, then response is ?^ v/ith 
no state change. 

Otherwise the following condition is checked: 



(i) object 0. is not the root object of the 
hierarchy and subject S has current access 
in write mode to O.'s immediately superior 

J 



object (Os(-j)) ■"" the hierarchy, 



or 

0. is not the root object and S, is allowed to 

J . • u 

rescind access permission to the root object in the 
current state. 

If condition (i) is met, then response is ^[es_ and the state 
changes as follows: 

(i) removal of an entry from the current access list 
indicating that S^. no longer has access to 0^. 
in mode x^. 

(ii) removal of access permission for S^ to 0. in 
mode )<^ f rom the access permission matrix. 

Otherwise the response is no^vnth no state change. 
rule 8: create-object 

Request is of the form (g, S^. , 0., L^). 
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Subject S. generates an object. S. requests creation 
(i.e., attachment) of an object, denoted Omeu(u\> having security 
level L , directly below object 0. in the hierarchy 

If request is not of the proper form, then response is ?^ with 
no state change. 

Otherwise the following conditions are checked: 

(i) S. has current access to 0. in write or append 
mode. 

(ii) the security level L dominates the security level 
of 0.. 

J 

If conditions (i) - (ii) are met, then response is ^^ and the 
state changes as follows: 

(i) the security level function is updated by adding the 
ordered pair (0,^£,^(^\. L^^) (i.e., the security level 
^■^ °NEW(H) ''^ >"ecorded as L^^). 

(ii) the object 0|^g,^/^N is added to the hierarchy such 
that 0,^£,^(^j is directly below Oj(0^£,^(^j e H(Oj)). 

Otherwise response is no_ with no state change. 

rule 9: delete-object-group 

Pxequest is of the form (S^. , 0.)- 
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Subject S. requests that object 0. be deleted (detached from 
the hierarchy). This results in deletion of all objects in the 
hierarchy which are inferion to 0.. 

J 

If request is not of the proper form, then response is ?^ with 
no state change. 

Otherwise the following condition is checked: 

(i) S. has current write access to the object 
immediately superior to 0. (0-/--\) and 0. 
is not the root object. 

If condition (i) is met, then response is yes and the state 
changes as follows: 



(i) all entries in the current access list giving subjects 

access to 0. or any object inferior to 0. in any 
J J 

mode are removed from the current access list. 



(ii) all entries in the access permission matrix giving 
subjects access permission to 0. or any object 

J 

inferior to 0. in any mode are removed from the 

J 

access permission matrix. 

(iii) 0. and all objects inferior to 0. are removed 
J J 

from the hierarchy. 

Otherwise response is n£ with no state change. 
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rule 10: change-subject-current-security-level 

Request is of the form (S., L ). 

Subject S. requests that its current security level be 
changed to L . 

If request is not of the proper form, then response is T^with 
no state change. 

Otherwise the following conditions are checked: 

(i) S. is a trusted subject or if S^. 's security level 
were changed to L , then the resulting state 
would satisfy *-property. 

(ii) the security level of S^. dominates L^. 



If conditions (i) - (ii) are met, then response is ^^ and the 
state changes by changing the current security level of S^. to L^. 

Otherwise response is no^with no state change. 

rule 11: change-object-security-level 

Request is of the form (r, S^. , 0., L^). 

Subject S. requests that the security level of object 0. be 

1 J 

changed to L . 

If request is not of the proper form, then response is ?^with 
no state change. 
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otherwise the following conditions are checked: 

(i) S^. is a trusted subject and the current security level 
of S^. dominates the security level of 0. 

or 



the current security level of S^. dominates L and 

L dominates the security level of 0.. 

J 

(ii) if any subject S has current access to 0. in 

J 

read or write mode, then the current security level 
of S dominates L . 

(iii) if O.'s security level were changed to L , then 
J u 

the resulting state would satisfy *-property. 

(iv) if O.'s security level were changed to L , then 
compatibility would be preserved in the hierarchy. 

(v) S. is allowed to change O.'s security level. 

J 

If conditions (i) - (v) are met, then response is yes and the 
state changes by changing the security level of 0. to L . 

Otherwise response is it£ with no state change. 

proofs 



rule 1 



Suppose V satisfies ss-property, *-property rel S', and 
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ds-property and Rj^ e R. Rl (Rj^, v) = {D^, v*) with: 

(i) V* = V or 

(ii) V* = (bU (S., 0., r), M, f, H) 

If (i), then v* satisfies ss-property, *-property, and ds-property 
since v does. 

Suppose (ii). If (S^, 0., r) e b, then v* = v. Suppose 
(S., 0., r) ^ b. Then, since f.(S.) x fAO.) according to Rl , v* 
satisfies ss-property by theorem A7 and, since 
f^(S^.) » fo(O-) if S^. e S' according to Rl , v* satisfies 
♦-property rel S' by theorem A8 and, since r. e M. . according 
to Rl , V* satisfies ds-property by theorem A9. 

Therefore Rl is secure-state-preserving by corollary A3. 
rule 2 

Suppose V satisfies ss-property, *-property rel S', and 
ds-property and Rj^ e R. R2(R|^, v) = (D^^, v*) with 

(i) V* = V or 

(ii) V* = (bu(S., Oy a), M, f, H) 

Suppose (ii). If (S^., 0., £) e b, then v* = v. Suppose 
(S., 0., a^) ^ b. Then v* satisfies ss-property by theorem A7 

and, since fg^^j^ ^ ^c^^i ^ ^^ ^i ^ ^' according to R2, v* 
satisfies *-property rel S' by theorem A8 and, since a_ e M^.^ 
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according to R2, v* satisfies ds-property by theorem A9. 

Therefore R2 is secure-state-preserving by corollary A3. 
rule 3 

Suppose V is a secure state and R. e R. 

Suppose V* = (b U (S., 0., e), M, f, H) and (S., 0., a_) i b. 

I J 'J 

Then v* satisfies ss-property by theorem A7 and v* satisfies 
♦-property rel S' by theorem A8 and, since e^ e M. . according to 
R3, V* satisfies ds-property by theorem A9. 

Therefore R3 is secure-state-preserving by corollary A3. 

rule 4 

Suppose V is a secure state and R^ e R. 

Suppose V* = (b u (S^. , Oj, w ) , M, f, H) and (S^., 0^, w) i b. 
Then, since f^CS^.) » fgCOj) according to R4, v* satisfies ss-property by 
theorem A7 and, since f^(S^.) = fo(Oj) if S. eS', v* satisfies 
♦-property rel S' by theorem A8 and, since w e M^. . according to 
R4, V* satisfies ds-property by theorem A9. 

Therefore R4 is secure-state-preserving by corollary A3. 

rule 5 

Suppose V is a secure state. 
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According to R5 b* c b, M* = M, and f* = f. Therefore 
V* is a secure state and R5 is secure-state-preserving by 
theorem AlO (iv). 

rule 6 

Suppose V is a secure state. 

According to R6 b* = b and M* = M u {><.}. Therefore v* is 
a secure state and R6 is secure-state-preserving by theorem AlO 
(iv). 

rule 7 

Suppose V is a secure state. 

According to R7 v* = v or v* = (b - (S., 0., x), M\M.. - {x}, f, H) 
If the latter then it is still the case that (S , 0. , x.) e b => x^ e H^^. 
R7 is ss-property-preserving and *-property-preserving by theorem 
AlO (i) and (iv). Therefore v* is a secure state and R7 is 
secure-state-preserving. 

rule 8 

Suppose V is a secure state. 

According to R8 b* = b and M* = M. Since (S^, ^nEW(H)' ^ ^ ^ 
for any S, in S and x in A, v* is a secure state and R8 
is secure-state-preserving. 
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rule 9 

Suppose V is a secure state. 

According to R9 if (S , ., x) e b*, then x e M , so v* 

" " "~ — aa 

IS a secure state. Therefore R9 is secure-state-preserving. 

rule 10 

Suppose V is a secure state. 

According to RIO if f * ^ f then f* = f \f^(S.) <- L and 
*10 (R|^, v) is true so v* is a secure state. Therefore RIO is 
secure-state-preserving. 



rule n 



Suppose V is a secure state. 



According to Rll if f * ^ f then f* = f\f (0.)<- L and 
*n (R|^. v) is true so v* is a secure state. Therefore Rll is 
secure-state-preserving. 
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